How a Terrible Game Cracked the 3DS's Security – Early Days of 3DS Hacking


Zoogie’s awesome timeline:

Here’s part 1 of Yifan Lu’s Gateway Ultra. If you’re looking for an interesting read, you should check it out!


Whenever Nintendo releases a new console, hackers usually aren't too far behind, and the 3DS is no exception. Just like with their previous consoles, it immediately became a high target the moment it was released back in early 2011. But after learning from their failed attempts to protect the Wii, Nintendo substantially upped their new handheld's security. This led to a huge back-and-forth struggle, not only between Nintendo and hackers but also among the hackers themselves, one that, in all honesty, I'm really excited to talk about today. So without further ado, welcome to Tech Rules.

The history of 3DS hacking has a rather unique and frankly pretty early start. We're talking shortly-after-release early, thanks to the 3DS's backwards compatibility with games from the original Nintendo DS. The DS was already conquered by hackers long ago in the form of flash carts that could run both backups of retail games and, of course, awesome homebrew applications made by the hacking community. So already having custom code running on the system was cool and all, but what did that mean for the rest of the system? Well, not much, and the reason for that is because of how the 3DS handles these DS carts in the first place. Because of some similarities between the hardware of the two devices, the 3DS is actually able to set up a virtual DS to run the game. It's not emulation; it's more like a DS built into your 3DS. We'll call this DS mode. And while the way it's set up provides near-perfect compatibility with DS games, there's not much we can do with it. Your DS games are run within the confines of DS mode. You can gain control of it, but then what? From this virtual box there's no way to access any of the, you know, 3DS parts of the 3DS. But hey, you still had all your favorite DS games on one cart, ROM hacks, and lots of cool homebrew that was made for the DS. We're talking emulators, plenty of custom games, useful tools, and ports of classics like Lemmings and Doom. It was certainly better than nothing.

It was around this time that Nintendo was passively attempting to block these flash carts, but their half-hearted attempts were easily bypassed by a flash cart update from the companies that made them. And while they were at it, they made sure to advertise that their flash carts worked with the 3DS. In the process, though, they seem to have made it look like it runs 3DS games, didn't they? I mean, they're not lying; their carts do work with a 3DS, I guess, but you know exactly what they were trying to imply with this. Of course, this obviously doesn't mean progress wasn't being made on the 3DS front, but as with any recently released system, hackers were nowhere near gaining enough understanding and control of the 3DS to run homebrew. Being able to take control of the system is a goal that's usually only reached much, much later, often nearing the end of the system's lifespan. Plus, the installation usually requires either a painstakingly complicated process to go through or direct modifications to the hardware itself. But it only took two years for something to happen to the 3DS. In late 2013, a company called Gateway released a flash cart that not only worked on the latest versions of the 3DS but actually played backups of 3DS games. No gimmicks, no hardware modifications; it just worked. And this led to an interesting conflict.

See, I already mentioned the hacking community's driving force behind hacking a game system: their primary interest is a powerful device that they have full access to, whether it be making their own games and useful homebrew or modifying already existing games. But there's another very present driving force that persists with every new console release. You guessed it: piracy. This group of people aren't just comprised of hackers and enthusiasts; rather, they consist of hundreds of thousands of pirates whose motives can range from those who like to try before they buy or live in a country where games are expensive, to those who refuse to even pay a penny for video games. An extremely small amount of them are actually hackers, and while they do care about the progress of device hacking, it's usually only because they want free games. This creates a sort of conflict of interest, because while hacking enables piracy, most people who hack game systems are against it. It's not their goal to enable it, and at times they will take drastic measures to ensure it doesn't happen as a result of their work. This usually meant that, at least around this generation of consoles, homebrew paved the way for hacking; the piracy only eventually happened as a result of that work. And that's what made this situation so interesting: Gateway's main purpose was to enable piracy, and they weren't shy about this. In fact, Gateway actually managed to do next to nothing for the homebrew community. Despite its ability to run official games, running homebrew on it was basically impossible. It was a situation where piracy was leading the hacking scene and Gateway was reaping all the benefits, and as you probably guessed, they couldn't be less interested in furthering the hacking scene. According to some numbers crunched by wololo.net, they ended up making millions of dollars in their prime. Needless to say, they did not want anyone finding out how it worked.

So let's talk a little about how it worked. Gateway actually came with not one but two carts: a red one and a blue one. The only purpose of the blue cart was to allow you to launch the red cart that actually did all of the work. So what's the secret? The blue cart is actually just a normal Nintendo DS flash cart that does something kind of clever. I said before that there was no way to mess with the 3DS from DS mode, and well, it's kinda true. There are a few ways they still directly communicate with each other, one of them being the DS profile. The profile on the DS consists of your name and a message used for online play. Normally you would change this in the DS settings menu, but obviously the 3DS doesn't have one. Instead, you fill out this information in the 3DS settings app and the 3DS changes it accordingly for DS mode. This is where Gateway's MSET exploit comes into play. Since it's trivially easy to take control of DS mode, the blue cart does something kind of devious here: it changes the DS profile information to an extremely long set of characters. If someone were to then go to their DS profile settings, the 3DS would retrieve that long string and essentially become overloaded with information, and from this vulnerable state you can run custom code, for example code to run an unauthorized 3DS cart.

This might make some of you think, well, if people figured out how it worked, why not use the same method to run homebrew? To put it simply, the MSET exploit is just something we'll call an entry point. And while finding an entry point is the door to running unauthorized code, that's literally all it is: the door. From here you'll need to research and discover other oversights in the system's programming to reach your goal, called an exploit chain. In fact, people actually knew of this exploit before Gateway started using it, and while it was a great entry point, the rest of Gateway's code wasn't very useful for making homebrew actually work very well. Of course, the thing about the 3DS, and pretty much every system coming out around this time, is it got frequent firmware updates over the Internet. So it's no surprise that the exploit was eventually patched out in a firmware update a few months later, making Gateway inaccessible. This put Gateway users in a predicament: they could update and lose access to Gateway, or they could stay on their current firmware and lose access to the eShop and basically all of Nintendo's online services. Gateway's solution to this problem? Simple: do both. What I mean is they released an update to their carts that added a new feature. It provided the option to copy your entire firmware to your SD card and run it from there. This is called emuNAND, short for emulated NAND, and the idea is that users could keep their system NAND on the old firmware that could use Gateway, and then you could keep the emuNAND on your SD card on the latest version for online services. That's right, it was literally dual booting on the 3DS. This was going to be Gateway's strategy as they waited for a new entry point to be found that they could take advantage of.

But that doesn't mean everything was going perfectly for Gateway. They had new competition to deal with in the form of clones. Numerous clones of Gateway were being released using their code and methods, and Gateway, being, you know, proudly for profit, was not very happy about this loss of revenue. The way they decided to approach this problem was, let's say, aggressive. The release notes for their new update stated that they added "many stability improvements," which is apparently Gateway speak for malicious code. The code in question looks for changes in the software, and if any are found, it assumes the cart it's running on is a clone and self-destructs. Thing is, it doesn't just stop at killing the cart; it bricks the entire system running the cart, rendering it unusable. When understandably angry owners of bricked 3DSes confronted Gateway, they blamed it on the faulty hardware of their competitors. This obviously goes way farther than just protecting their code; there's a strain of sabotage. If they could force all of the clone carts to destroy 3DSes, the reputation of the clones would plummet to the ground and Gateway would once again be the only safe and trusted method to run 3DS backups. Well, they would have, if their amazing code didn't trigger on actual Gateway carts. Yeah, not even legit owners were safe from Gateway's bloodthirsty rampage. Anyway, hackers eventually took a look at the code and confirmed: yeah, the bricks were very intentional. The end result of this chaos was countless bricked systems and Gateway promising to fix any systems that their legit carts ruined. I would like to say this ruined their company, but it didn't. Sure, they basically just shot themselves in the foot, but what can you do about it? Stop using Gateway? Like it or not, their flash carts were the only really exciting thing happening in the hacking scene at the time, not to mention the only way to play ROM hacks or even play games outside your region. However, it soon turned out that this wouldn't be true for much longer.

Fast forward to a few months later, late March 2014. A talented hacker and programmer named smealum updated his blog, talking about a new exploit he discovered called ssspwn. This exploit would not only provide access to actual homebrew, but it would work on the latest firmware. smealum had something big: an unpatched, extremely useful exploit. So understandably he wanted to be careful about how he used it. If he were to release his exploit at any point, Nintendo would immediately patch it and it would never work again; the longer he holds on to it, the more firmware versions it would work on. On top of that, any finding that enables homebrew is also eventually going to enable piracy. Interestingly enough, however, the blog post actually mentions that this exploit cannot by itself enable piracy, meaning that while piracy is still most likely an inevitability with this exploit, it would require more than just the exploit to actually achieve it. It makes you wonder how smealum would have handled the exploit if that weren't the case. Anyway, the post went on to say that while he wasn't ready to release it just yet, he did want to get it out to trusted homebrew developers that would help create a successful release for the exploit. Eventually things went by smoothly, and smealum tweeted out that the homebrew loader was almost ready for release and that you would need a specific game to use it. He did not, however, reveal what game it was just yet, most likely out of fear that scalpers would buy up the game and sell them at ridiculous prices. I say that because there wasn't really any fear that the exploit could be fixed without a software update: the company that made the game had already gone out of business, and a patch was unlikely.

Unfortunately, Nintendo did actually manage to stop the exploit and loader from being released on time, but not in the way you'd think. During a Japanese Nintendo Direct presentation in August 2014, Nintendo announced that in a few months they were going to release a new 3DS model called, well, the New Nintendo 3DS, sporting more buttons, another stick, amiibo compatibility, and various upgrades to the hardware. This prompted smealum to hold onto the exploit a little while longer. The reason was pretty obvious: if the exploit were to be released on time, Nintendo would have had plenty of time to ensure it didn't work on their new 3DS. The only way to ensure that the new model would be hackable was to delay the exploit a little while longer. This was of course met with some backlash from the community, with smealum saying that he was sorry but he did not want to make any rash decisions. Time passed, the New 3DS came out in Japan, and the exploit was confirmed to work. In November, smealum prepared for release once again as he finally revealed the game to be used as the entry point. Cubic Ninja was certainly an interesting game, one where you moved the ninja by tilting your 3DS, but maybe not exactly good. Because of its poor critical reception and popularity in general, it was pretty easy to find this game for under $10, making it an excellent and accessible entry point for ssspwn, or as it's now being called, ninjhax. For a few hours everyone immediately started buying Cubic Ninja, and the game skyrocketed in popularity on shopping sites. Copies started selling out left and right, and the copies that were still in stock were being sold for crazy prices. Before the day was over, Cubic Ninja was hitting lists of the hottest 3DS games worldwide. It wasn't long before the game was nearly impossible to find, and the Japanese digital version was taken down from the eShop. And in case you're wondering, yes, Gateway users were perfectly able to pirate the game and take advantage of the exploit, that is, if you were lucky enough to still be on a firmware version that supported it.

The entry point for ninjhax was pretty straightforward. This might come as a surprise to you, but this poorly received 3DS game didn't exactly have the best programming. Cubic Ninja featured a mode where you could design your own levels and have others play them. The chunks of data that make up these custom levels are supposed to be a certain size, but the game never actually checks to make sure that they are the right size. Basically, there's nothing stopping you from taking a custom level and adding as much extra data to these chunks as you want, and if you add more than the game can handle, well, there's your entry point. The release of ninjhax was a milestone for 3DS hacking. Not only was ninjhax the first exploit to make homebrew possible, but it worked on every 3DS on the latest firmware. The real hacking scene was taking off, and the iron grasp Gateway had over the 3DS was gone, or at the very least waning. As smealum had promised, the nature of the exploit he used made piracy practically impossible, and since the exploit had just been released, it would be a bit before a lot of impressive homebrew started showing up. Until then, flash carts still had the upper hand.

Speaking of flash carts, it's worth mentioning that a pretty impressive one was released during all this ninjhax excitement: Sky3DS. The difference between Gateway and this new flash cart was its approach to running backups. While Gateway relied on exploits to run unauthorized games, Sky3DS's method of choice was to replicate a legit game cart entirely, allowing it to run on pretty much any firmware. The cart itself had a red button on it to switch games: you'd press this button and Sky3DS would switch to the next game loaded on the cart. This method of backup loading had issues, though, the main one being it had to deal with the same restrictions as a real 3DS cart. Any tampering and the 3DS would no longer be fooled. This meant no ROM hacks, no cheats, and no games from outside your region. For those reasons it was still better to own a Gateway cart, provided your system could still run it. Not to mention the cart had this weird restriction where it could only play ten games, and just so we're clear, I don't mean ten games at one time, I mean ten games ever. Sky3DS keeps track of what games you've played on it, and once you've reached ten it refuses to let you play any more. Want to play more games? Buy another cart. Naturally, this arbitrary limitation didn't go well with the community, and after some negative reception, lo and behold, a new version came out. This one had a blue button, which was apparently a sign that the cart didn't have the stupid ten-game limitation.

Anyway, time passed, and 2014 wrapped up with a huge step forward to a more open and robust hacking scene for the 3DS. Gateway, still being decently relevant at this point, kicks off the new year by releasing a new update for their flash carts called Gateway Ultra. Yeah, I forgot to mention, Gateway likes to name their version updates occasionally for some reason; the last version was Omega. I guess it's a marketing thing, I don't know. So what was so ultra about Gateway Ultra? Well, simply put, they had an exploit for 9.2 that didn't require a game like ninjhax did, and that was great, but it would have been even better if the latest firmware at the time wasn't 9.4. But trust me, that did not stop them from going out of their way to protect their exploit. The code itself was encrypted and heavily obfuscated; a good portion of the code was just useless garbage designed to make it even more difficult to reverse engineer. This is where Yifan Lu comes in. That name might sound familiar to those of you who followed the Vita hacking scene, where he was an active hacker and eventually became part of Team Molecule. But I guess he was looking for a change of pace, because he was checking out a 3DS exploit this time around. Not only did he completely reverse-engineer it, but he also made a very nice write-up on it. That's a pretty impressive change of pace, don't you think? In case you were wondering, the entry point this time around took advantage of a known vulnerability in a browser engine, specifically WebKit. Most big-name browsers like Chrome and Safari had already fixed it at that point, but I guess Nintendo hadn't gotten around to it yet. More importantly, though, the entire exploit chain itself contains some very useful information that helped out the hacking scene quite a bit. Thanks, Gateway Ultra.

It wasn't very long after these findings that rxTools was released, a series of very useful, albeit old-3DS-only, tools made by GBAtemp user Roxas75. rxTools' main feature was that it could give you access to Gateway's emuNAND solution without the need of an actual Gateway cart. Basically, you could keep your 3DS on 9.2 for homebrew access and still be able to update to the latest firmware on your SD card. However, rxTools didn't have its own way to easily boot up homebrew. To do this, its custom firmware would have needed to do something about signature checks. This part is a bit complicated, but I'll try my best to keep it simple. In this context, a signature is something that your 3DS checks for when attempting to run games and apps. If it's not there or something's wrong with it, the app doesn't run. Each signature is unique to the program it was made for, and they're impossible to create without the proper tools, tools that unfortunately only Nintendo had. To run your own apps straight from the home screen without relying on any additional exploits like ninjhax, the signature checks would have to be patched out entirely. However, doing this would create a different problem: piracy. If rxTools were to remove signature checks, any program could be executed on the 3DS, including games downloaded from the internet. It's a bit of a moral dilemma. Sure, this would take away Gateway's main feature and significantly hurt their piracy-fueled profits, but I'm sure a good portion of hackers wouldn't want to be responsible for directly enabling a method of piracy. It's not like someone could just make their own version of his custom firmware that does the job, either: rxTools, and by extension the custom firmware rxMode, was closed source. Its source code was not public, and Roxas75 didn't want any unauthorized changes to be made to it.

A few months later, though, someone leaked information on how to patch signature checks on Pastebin, a website designed to share code and text in general. Who did it? Nobody knows, but it probably wasn't meant to be public. This information was quickly put to use in the form of Pasta CFW, the first custom firmware to enable custom apps straight from the home menu, and it was open source to boot. That being said, it didn't have any of the cool features that rxTools had, which is probably what led to rxTools being reverse engineered and modified to add these signature patches in. As you might have imagined, Roxas was not happy about this, and it led to a lot, and I mean a lot, of drama over the course of a few days. I'll spare you the details and say that it ended with Roxas finally making rxTools open source and adding in signature patches himself. And with that, Roxas announced his departure from the 3DS hacking scene. He stated that he wouldn't blame himself too much for the mistakes he made, and gave ownership of the rxTools project to the Pasta team as he said his goodbyes. And there you have it: there was now custom firmware that ran homebrew and backups without the need to support Gateway, or any other flash cart business for that matter. At this point there wasn't much room for debate; Gateway was no longer the king of the 3DS scene, and homebrew was paving the way once again.

That pretty much covers the juicy bits of the hacking scene's early history. From here there were only improvements, improvements, improvements for a while. 9.2 became the firmware to be on, so you could run all these amazing things, and methods to downgrade to 9.2 were being made all the time. Eventually arm9loaderhax came out, and that exploit persisted across system updates: usually you could be on the latest firmware while still maintaining your hacks, uh, provided you had a way to get it on there. And then boot9strap was released, which did everything arm9loaderhax did and then more. It also may or may not be actual witchcraft. Everybody uses a sleek custom firmware called Luma3DS now that's as useful as it is easy to use, and all of this is installable on the latest firmware thanks to Sudoku. Not joking, it's literally possible because of an oversight in DSiWare games like Sudoku. Not only has Nintendo struggled to patch these hacks out, but they've been outright leaving the oversights in with releases of newer 3DS models. It's pretty safe to say the 3DS has been cracked wide open now, and I hope you enjoyed learning a little bit about how it happened.

Oh, but some of you might be wondering what happened to Gateway after all these breakthroughs. Well, after many failed attempts to stay relevant, they announced the release of their new flash cart, Stargate, which does, well, less than the current custom firmware already does, for like $80. And to be honest, I'm not even sure how well it works, because, well, nobody bought one. Frankly, nobody cares.

Anyway, I have something important to say. There's a chance this video may have inspired some of you to hack your 3DS and check out all the homebrew and new content it provides. If so, cool, but I have a word of warning: whatever you do, please, please, please do not follow a video guide you found on YouTube. Video guides are pretty much always outdated, and they usually leave out important details that add unnecessary dangers to the process. To make it worse, a lot of YouTubers like to, for whatever reason, modify the files used to hack the 3DS even though they really don't know what they're doing. There are some great resources out there, like the website 3ds.guide, that are thorough and up to date. If you use a video guide, you're only putting your 3DS in unnecessary danger.

Anyway, that's the early days of 3DS hacking. Shoutouts to the people in the 3DS hacking scene who usually document their findings pretty well. Actually, I have to especially thank one person in particular called Zoogie, who made an extremely helpful timeline on GBAtemp a few years back. If I had found that sooner, this video would have been much less of a pain to make. If you guys have any suggestions for future videos, leave a comment or something, or contact me on Twitter. Also feel free to tell me any mistakes I've made as well; I'll put the corrections in a pinned comment down below. I've already got more videos planned, so I hope you keep an eye out in the future for more Tech Rules.
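The Cubic Ninja custom-level bug and the DS-profile string bug described in the video are the same shape: a length that comes from user-controlled data is trusted when that data is copied into a fixed-size buffer. The following is an added example, not code from the video or from either game; the chunk layout, the names and the sizes are assumptions made for illustration. It shows a level-chunk loader with the check the video says was missing, alongside the related checks a defensive loader also needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical custom-level layout (an assumption for this example, not the
 * real Cubic Ninja format): a sequence of chunks, each
 *   [1-byte tag][2-byte little-endian payload length][payload].
 * The loader keeps every payload in a fixed-size in-memory slot, which is
 * exactly the situation where a missing length check becomes an overflow. */
#define CHUNK_CAP   64   /* bytes each in-memory slot can hold */
#define MAX_CHUNKS  8    /* slots available per level */

typedef struct {
    uint8_t  tag;
    uint16_t len;
    uint8_t  data[CHUNK_CAP];
} chunk_t;

enum { LVL_OK = 0, LVL_ERR_TRUNCATED, LVL_ERR_OVERSIZE, LVL_ERR_TOO_MANY };

/* Hardened loader. The check marked "missing" is the one the video says the
 * game lacked: nothing compared the declared chunk length with the slot size,
 * so an oversized chunk wrote past the slot. The other checks close the
 * related gaps (length running past the end of the file, too many chunks). */
int load_level(const uint8_t *buf, size_t n, chunk_t *out, size_t *count)
{
    size_t off = 0, k = 0;
    while (off < n) {
        if (n - off < 3)                 /* header itself must be present */
            return LVL_ERR_TRUNCATED;
        uint8_t  tag = buf[off];
        uint16_t len = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
        off += 3;
        if (len > CHUNK_CAP)             /* missing check: declared vs. slot */
            return LVL_ERR_OVERSIZE;
        if (len > n - off)               /* declared vs. bytes actually present */
            return LVL_ERR_TRUNCATED;
        if (k >= MAX_CHUNKS)
            return LVL_ERR_TOO_MANY;
        out[k].tag = tag;
        out[k].len = len;
        memcpy(out[k].data, buf + off, len);  /* now provably within the slot */
        off += len;
        k++;
    }
    *count = k;
    return LVL_OK;
}

/* Constructed sample inputs (not real level data). */
static const uint8_t good_level[] = {
    0x01, 0x04, 0x00, 'A', 'B', 'C', 'D',   /* tag 1, 4-byte payload */
    0x02, 0x02, 0x00, 0x10, 0x20            /* tag 2, 2-byte payload */
};
/* Declares a 256-byte payload for a 64-byte slot: the shape of the bug. */
static const uint8_t oversized_level[] = { 0x01, 0x00, 0x01, 'X', 'X', 'X' };
/* Declares 10 bytes but only 3 follow. */
static const uint8_t truncated_level[] = { 0x01, 0x0A, 0x00, 'Y', 'Y', 'Y' };

/* Wrappers so the outcome of each sample can be checked by name. */
int check_level(const uint8_t *buf, size_t n, size_t *count)
{
    chunk_t slots[MAX_CHUNKS];
    return load_level(buf, n, slots, count);
}
int check_good(void)      { size_t c = 0; return check_level(good_level, sizeof good_level, &c); }
size_t count_good(void)   { size_t c = 0; check_level(good_level, sizeof good_level, &c); return c; }
int check_oversized(void) { size_t c = 0; return check_level(oversized_level, sizeof oversized_level, &c); }
int check_truncated(void) { size_t c = 0; return check_level(truncated_level, sizeof truncated_level, &c); }

int main(void)
{
    printf("good=%d (%zu chunks) oversized=%d truncated=%d\n",
           check_good(), count_good(), check_oversized(), check_truncated());
    return 0;
}
```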